I am using the latest tag 4.0.4 of Starscream (https://github.com/daltoniam/starscream). I have created my own SSL Certificate using
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
On my backend, I use Node.js to create the HTTPS server and create a WebSocket with the WebSocket-Node library (https://github.com/theturtle32/WebSocket-Node)
const fs = require('fs');
const https = require('https');
var webSocketServer = require('websocket').server; // WebSocket-Node

const httpsServer = https.createServer(
{
    key: fs.readFileSync('./certs/key.pem'),
    cert: fs.readFileSync('./certs/cert.pem')
});
httpsServer.listen(1234, function()
{
    // logger and filename are defined elsewhere in the application
    logger.log.info(filename + "Server is listening on port " + 1234);
});
var wsServer = new webSocketServer({
    httpServer: httpsServer,
    autoAcceptConnections: false
});
In Swift 5, I can connect to and communicate with the WebSocket using the following code:
import Foundation
import Starscream

// `socket` is assumed to be a `WebSocket?` stored property of the delegate class
var request = URLRequest(url: URL(string: "wss://mydomain.com:1234")!)
request.timeoutInterval = 10
let pinner = FoundationSecurity(allowSelfSigned: true)
socket = WebSocket(request: request, certPinner: pinner)
socket?.delegate = self
socket?.connect()
However, the above does not use my certificate at all. I was expecting to have to import my .cer into Xcode (add it to the bundle), then set up the WebSocket using the certificate, followed by some kind of handshaking or SSL challenge before the connection is accepted.
One issue I am running into is that the new Starscream library does not have "socket.security" (like older versions appear to have) or any way to add a certificate to the connection. So I cannot figure out how to add a cert to the socket.
// I've seen other post using "socket.security", but this does not
// appear to work anymore as "socket.security" doesn't exist
socket.security = SSLSecurity(certs: [ssl], usePublicKeys: true)
I don't know how my app is connecting and communicating without the certificate. This means anyone can communicate with my WebSocket if they know the domain and port number.
Shouldn't the httpsServer reject it?
Shouldn't I need to add the certificate to my app bundle and somehow configure the Websocket with it?
Primary Question: How can I secure my WebSocket so only my app (with the certificate) can communicate with my backend https websocket server?
I had posted a question here regarding setting the EnableSslCertificateVerification setting to true and how it doesn't work on Windows: the SSL handshake fails.
I found out that this is solved by adding the SslCaLocation setting as follows:
"Dev-on-Windows": {
  "commandName": "Project",
  "environmentVariables": {
    "Kafka__BootstrapServers": "myloadbalancer.myhost.corp:9094",
    "Kafka__EnableSslCertificateVerification": "true",
    "Kafka__SchemaRegistryUrl": "myschemareg.myhost.corp:8081,myschemreg2.myhost.corp:8081",
    "Kafka__SecurityProtocol": "SaslSsl",
    "Kafka__SslCaLocation": "cacert.pem",
    "Kafka__SaslMechanism": "Gssapi",
    "Kafka__ClientId": "DotNetCoreReferenceApplication",
    "Kafka__ErrorTolerance": "Moderate",
    "Kafka__Debug": "all",
    "ASPNETCORE_ENVIRONMENT": "Development"
  },
  "applicationUrl": "https://localhost:5001;http://localhost:5000"
},
Where the cacert.pem file is simply the concatenation of the signature PKs of the certificates. That works.
I am not sure why that is needed when ideally it should be able to check the trusted root store on Windows.
UPDATE
Two certs are required. One of them is in the Trusted Root Certificate Authorities and the other is in the Intermediate Certificate Authorities.
I removed the SslCaLocation configuration and simply imported the second certificate from the Intermediate store to the Root store and it worked.
Does the Confluent client library for Kafka / librdkafka for Windows not look into the Intermediate Certificate Store?
I am running a JEE app on a WildFly server behind an Apache reverse proxy. Using the keycloak-client-adapter it connects to a Keycloak server that is also behind an Apache reverse proxy. Both reverse proxies terminate the SSL connection and connect to the WildFly server by http.
When I open the JEE app, I am redirected to Keycloak, and after I have entered my password I am redirected back to my app, all over SSL through the reverse proxy. But then I get a 403. The reason for this: the app's WildFly tries to connect to Keycloak to validate the token over http. This is neither allowed ("ssl-required": "all" in keycloak.json and in the realm setup) nor is http active at all.
From the app wildfly server.log
Adapter requires SSL. Request: http://www.domain.tld/myapp/
I have set up the reverse proxy of Keycloak according to the documentation; .well-known/openid-configuration looks good, all URLs are https.
keycloak.json
{
  "realm": "myrealm",
  "auth-server-url": "https://sso.domain.tld/auth",
  "ssl-required": "all",
  "resource": "myresource",
  "verify-token-audience": true,
  "credentials": {
    "secret": "secret"
  },
  "use-resource-role-mappings": true,
  "confidential-port": 443,
  "policy-enforcer": {}
}
Settings of the reverse proxy for the app
ProxyPreserveHost On
ProxyPass /myapp http://127.0.0.1:8080/myapp
ProxyPassReverse /myapp https://www.domain.tld/myapp
Does anyone have an idea how to force https on the validation? That should be the last step to get the setup running.
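The check a practitioner would make first, shown as an added configuration example rather than the poster's own: the adapter's "Adapter requires SSL" decision is based on the scheme of the request as WildFly sees it, and after TLS termination that scheme is plain http unless the proxy forwards the original scheme and Undertow is told to trust that header. Apache's mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server on its own but not X-Forwarded-Proto, so it has to be set explicitly (this needs mod_headers). Host name and paths are taken from the post; the WildFly listener name `default` is an assumption.

```apache
<VirtualHost *:443>
    ServerName www.domain.tld
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as in the existing vhost

    ProxyPreserveHost On
    # mod_proxy does not forward the scheme, so without this header WildFly sees
    # a plain-http request and the adapter (ssl-required: all) answers 403.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"
    ProxyPass        /myapp http://127.0.0.1:8080/myapp
    ProxyPassReverse /myapp http://127.0.0.1:8080/myapp
</VirtualHost>
```

On the WildFly side the Undertow listener must be allowed to honour those headers, otherwise they are ignored: in jboss-cli, `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)` (the equivalent of `proxy-address-forwarding="true"` on the `<http-listener>` element in standalone.xml), followed by a reload. Once the listener trusts X-Forwarded-*, anything that can reach port 8080 directly can claim to be https, so keep that port bound to 127.0.0.1 or otherwise reachable only from the proxy, as the ProxyPass above already assumes.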
I have two projects, one with documentation and one as the actual app.
When I access http://localhost:3000/docs my webpack setup is redirecting me to another server which is on http://localhost:4000 and where the documentation lives.
The redirect is happening, but when it tries to load dependencies (.js, .css) the request is made on the original port (3000) and not on port 4000.
How can I redirect the server requests for the second website?
My webpack setup:
proxy: {
  "/docs/**": {
    target: "http://localhost:8080",
    pathRewrite: { "^/docs": "" },
    changeOrigin: true,
    secure: false,
  }
}
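One way to route the documentation site's sub-resource requests as well, as an added example that is not part of the original post: a path-prefix rule only matches URLs under /docs, but the docs pages reference their scripts and stylesheets by absolute paths such as /main.js, which the browser requests from the dev server on port 3000. http-proxy-middleware, which webpack-dev-server uses under the hood, accepts a `context` function `(pathname, req) => boolean`, so the rule can also claim requests whose Referer is a /docs page. The docs port 4000 follows the text of the question (the posted config says 8080); the `secure` setting is left at its verifying default because `secure: false` disables TLS certificate checks for https targets and is not needed for a plain-http local target.

```javascript
'use strict';
// Added example, not the original poster's webpack configuration.
// Proxy rule for webpack-dev-server that forwards the docs site's pages AND the
// assets those pages load, recognised through the Referer header.
// Assumes the docs server listens on http://localhost:4000 (port taken from the
// question text; the posted config used 8080).

const DOCS_TARGET = 'http://localhost:4000';

// True when a request belongs to the docs site: either its path is under /docs,
// or it is a sub-resource (script, stylesheet, image) fetched by a page that was
// itself served from /docs, which the browser reveals through the Referer header.
function isDocsRequest(pathname, req) {
  if (pathname === '/docs' || pathname.startsWith('/docs/')) return true;
  const referer = (req && req.headers && req.headers.referer) || '';
  let refPath = '';
  try {
    refPath = new URL(referer).pathname;   // throws on an empty or malformed Referer
  } catch (_) {
    return false;
  }
  return refPath === '/docs' || refPath.startsWith('/docs/');
}

// webpack-dev-server takes an array of proxy rules; `context` may be a function,
// which http-proxy-middleware evaluates for every incoming request.
const devServerProxy = [
  {
    context: isDocsRequest,
    target: DOCS_TARGET,
    pathRewrite: { '^/docs': '' },   // the docs server is mounted at its own root
    changeOrigin: true,              // rewrite the Host header to the target's host
    // `secure` deliberately not set to false: that would turn off TLS certificate
    // verification for https targets; it is irrelevant for a plain-http target.
    logLevel: 'warn',
  },
];

module.exports = { isDocsRequest, devServerProxy };
// In webpack.config.js:
//   devServer: { port: 3000, proxy: require('./proxy').devServerProxy }
```

Referer-based routing is a heuristic (a docs page that loads an asset with the same path as one of the app's own assets will shadow it, and privacy settings can strip the header), so the durable fix is to build the documentation with a public path of /docs/ so that all of its asset URLs fall under the prefix and the plain path rule is enough.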
We have an ADF application on WebLogic 10 that has occasional access to a Java applet. The Java applet is loaded whenever it's needed and not loaded whenever it isn't. The applet is currently in the public_html/applet folder.
When we set the SSL configuration to require a client certificate, the Java applet constantly asks for a client certificate when it loads:
Request Authentication
Identification required. Please select certificate to be used for authentication.
This is annoying to users and the Java Applet doesn't need authentication. Is there any way we can disable the authentication or remove the prompt?
Here's the embedded applet code:
Edit: Things I've already tried:
1) Setting the Applet up on HTTP instead of HTTPS; I get a warning about mixed content and still get the authentication pop-up.
2) Created a minimal applet that only types out "HELLO WORLD" in the console, still get the authentication pop-up
Here's the console window:
Java Plug-in 1.6.0_35
Using JRE version 1.6.0_35-b10 Java HotSpot(TM) Client VM
User home directory = C:\Users\mfan
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener#1df073d
basic: Plugin2ClassLoader.addURL parent called for https://192.168.130.99/app/applet/HelloWorld.jar
network: Cache entry not found [url: https://192.168.130.99/app/applet/HelloWorld.jar, version: null]
network: Connecting https://192.168.130.99/app/applet/HelloWorld.jar with proxy=DIRECT
network: Connecting http://192.168.130.99:443/ with proxy=DIRECT
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loaded SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loaded Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment session certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: KeyUsage does not allow digital signatures
(and here's where the prompt comes up).
You said that your applet does not require client authentication, so you can put your applet jars on an http location. Then you have to specify the codebase parameter for this http location. For example, if you put your jar as a resource at http://public.test/somewhere/myApplet.jar you can specify:
codebase = http://public.test/somewhere/
archive = myApplet.jar
However, I think that this is probably a configuration issue; you can configure your web server to request client certificate authentication optionally, and not required, on the applet location.
Hope this helps,
EDIT:
You can put your WebLogic behind a proxy (like Apache HTTP Server) and configure the proxy to require the client certificate only in a specific location. A configuration sample for the Apache HTTP Server case looks like:
##
## SSL Virtual Host Context
##
<VirtualHost myHost:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/server.crt
    SSLCertificateKeyFile conf/server.key
    SSLVerifyClient none
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
    JkMount /myWeb loadBalancer
    JkMount /myWeb/* loadBalancer
    <Location /myWeb/login/certificateLoginLocation>
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCACertificateFile conf/trustedCA.cer
        SSLVerifyClient optional
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule .* http://myHost/myWeb/accesForbbiden.htm
    </Location>
</VirtualHost>
Well, I'm not sure about WebLogic; I am using JBoss and I know that there is no way to do this.
So what we did is install an Apache in front, serving as a reverse proxy,
and the configuration looks like:
Listen vgw_mgmt:443
<VirtualHost vgw_mgmt:443>
    DocumentRoot /srv/www/
    SSLEngine on
    SSLCipherSuite HIGH
    SSLProtocol all -SSLv2
    SSLOptions +ExportCertData +StdEnvVars
    SSLCertificateFile /etc/httpd/ssl/server-mgmt.pem
    SSLCertificateKeyFile /etc/httpd/ssl/server-mgmt.key
    SSLVerifyDepth 3
    SSLCACertificateFile /etc/httpd/ssl/trustedca-mgmt.pem
    SSLVerifyClient none
    ProxyPass /webmgr/ ajp://webapps:8009/webmgr/
    <Location /webmgr/>
        SSLVerifyClient optional
    </Location>
    <Location /webmgr/javascript/>
        SSLVerifyClient none
    </Location>
</VirtualHost>
So, whenever a user hits https://proxy/webmgr/, client authentication is prompted (the reason we use "optional" instead of "required" is that we want to display a nice error page telling the customer they need to provide a cert to log in).
And my applet is stored inside /webmgr/javascript/applet.jar,
so when the applet loads
<applet archive="applet.jar" codebase="/webmgr/javascript/" name="jsapplet" id="jsapplet" code="myapps.mylittleprogram" height="1" width="1"></applet>
it skips the client authentication.
Since our application is on http and https, I just set the archive to http:// and it works fine now.